AGX Xavier 35.2.1 fails to flash with burnt fuses

Hi all,

We are getting Secure Boot and UEFI Secure Boot working for our AGX Xavier. We have gotten the process working well with the 35.4.1 version of the SDK.

However we have some dependencies that don’t let us switch to 35.4.1 until the next cycle of HW, meaning we are stuck on 35.2.1 for at least another month.

We want to be able to use the same secure boot path now that we will later. I know that UEFI secure boot is not “officially” supported until 35.4.1 but is there still some support for it in 35.2.1 even if it isn’t as clean?

The bigger issue we are seeing is that as soon as we use the fuseblob to burn fuses (we tried generating the blob with both 35.2.1 and 35.4.1), the 35.2.1 flash.sh and any generated flashcmd no longer work. It acts as if it can’t see the device or that it isn’t in forced recovery mode. As soon as we try the exact same commands with 35.4.1 it works.

This is the command used to generate the fuseblob:

sudo BOARDID=2888 FAB=400 BOARDSKU=0004 BOARDREV=K.0 CHIPREV=2 <Path to SDK export>/Linux_for_Tegra/odmfuse.sh -i 0x19 -p --noburn -k <path to keys>/sb_pair.pem --auth NS --disable-jtag jetson-xavier

Is there a known issue with 35.2.1 and AGX units with burnt fuses? Is there something else that I can do to debug why this issue is happening?

Thanks,
Joseph

hello jjsalzano,

are there any logs for reference?

Hi Jerry, which logs are you looking for?

If we just try and run sudo ./flash.sh jetson-xavier mmcblk0p1 to test whether it does anything, we just get:

###############################################################################
# L4T BSP Information:
# R35 , REVISION: 2.1
# User release: 0.0
###############################################################################
Error: probing the target board failed.
       Make sure the target board is connected through
       USB port and is in recovery mode.

We have also built the image the same as we have in 35.4. with:

sudo -E BOARDID=2888 FAB=400 BOARDSKU=0004 BOARDREV=K.0 FUSELEVEL=fuselevel_production ./flash.sh --no-flash -u ../keys/secure-boot/sb_pair.pem --uefi-keys ../keys/uefi/uefi_keys.conf jetson-xavier mmcblk0p1

Running the flash command after gives us this:

Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[   0.1120 ] Parsing partition layout
[   0.1198 ] tegraparser_v2 --pt secureflash.xml.tmp
[   0.1281 ] Boot Rom communication
[   0.1393 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_signed.rcm --rcm rcm_2_signed.rcm
[   0.1445 ] BR_CID: 0xa80219116430b0071400000011010100
[   0.1723 ] Boot Rom communication completed
[   2.2574 ] tegrarcm_v2 --isapplet
[   2.2593 ] Applet version 01.00.0000
[   2.2841 ] Sending BCTs
[   2.2889 ] tegrarcm_v2 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.signed --download bct_mem mem_rcm_sigheader.bct.signed
[   2.2909 ] Applet version 01.00.0000
[   2.3170 ] Sending bct_bootrom
[   2.3177 ] [................................................] 100%
[   2.3290 ] Sending bct_mb1
[   2.3439 ] [................................................] 100%
[   2.3665 ] Sending bct_mem
[   2.4175 ] [................................................] 100%
[   2.4936 ] Generating blob
[   2.5075 ] tegrahost_v2 --chip 0x19 --generateblob blob.xml blob.bin
[   2.5100 ] number of images in blob are 11
[   2.5127 ] blobsize is 6639704
[   2.5130 ] Added binary blob_nvtboot_recovery_cpu_t194_sigheader.bin.signed of size 233040
[   2.5196 ] Added binary blob_nvtboot_recovery_t194_sigheader.bin.signed of size 206016
[   2.5228 ] Added binary blob_preboot_c10_prod_cr_sigheader.bin.signed of size 24016
[   2.5252 ] Added binary blob_mce_c10_prod_cr_sigheader.bin.signed of size 145184
[   2.5288 ] Added binary blob_mts_c10_prod_cr_sigheader.bin.signed of size 3430416
[   2.5350 ] Added binary blob_bpmp-2_t194_sigheader.bin.signed of size 1007392
[   2.5372 ] Added binary blob_tegra194-a02-bpmp-p2888-a04_lz4_sigheader.dtb.signed of size 90608
[   2.5390 ] Added binary blob_spe_t194_sigheader.bin.signed of size 95232
[   2.5411 ] Added binary blob_tos-optee_t194_sigheader.img.signed of size 914992
[   2.5425 ] Added binary blob_eks_t194_sigheader.img.signed of size 5136
[   2.5433 ] Added binary blob_tegra194-p2888-0001-p2822-0000_sigheader.dtb.signed of size 487488
[   2.5442 ] Sending bootloader and pre-requisite binaries
[   2.5522 ] tegrarcm_v2 --download blob blob.bin
[   2.5555 ] Applet version 01.00.0000
[   2.5848 ] Sending blob
[   2.5850 ] [................................................] 100%
[   4.5096 ] tegrarcm_v2 --boot recovery
[   4.5118 ] Applet version 01.00.0000
[   5.5478 ] tegrarcm_v2 --isapplet
[   5.5499 ] USB communication failed.Check if device is in recovery
[   5.5541 ] tegrarcm_v2 --ismb2
[   5.5557 ] USB communication failed.Check if device is in recovery
[   5.7441 ] tegradevflash_v2 --iscpubl
[   5.7466 ] Cannot Open USB
[   6.8170 ] tegrarcm_v2 --isapplet
[   6.8190 ] USB communication failed.Check if device is in recovery
[   7.2393 ] tegrarcm_v2 --ismb2
...
...

If we run the same build/flash from 35.4.1 it completes the flash (I have a script that does the exact same things, the only difference is I swap the 35.2.1 for 35.4.1 in the tar extract steps)

hello jjsalzano,

is the device being detected by $ lsusb?
image flashing should work… did you download Jetpack-5.1/ r35.2.1 via SDK Manager?

Yes and yes. And if I run the exact same command with 35.4.1 it works. Before I burnt the fuses it also worked. So it's something with the production fuses burnt that seems to trigger this. Are there any known issues about that?

As the UEFI secure boot is not “officially” supported until 35.4.1, we’re not able to do the backward investigation at the old R35.2.1 SW. Sorry for that.

But I am first asking about just normal secure boot. I am not even trying to use UEFI now. All I did was burn the PKC secure boot fuses and now no image flashes with 35.2.1.

I am needing to get PKC secure boot working first.

Hey @jjsalzano

Let me help you with my humble experience on the tegra platforms.

I recommend to follow the instructions described in the link below:
https://docs.nvidia.com/jetson/archives/r35.2.1/DeveloperGuide/text/SD/Security/SecureBoot.html#secure-boot

Also I recommend to use the following command to burn the tegra fuses.

$ sudo ./odmfuse.sh --test -X xavier_fuse_configuration.xml -i 0x19 jetson-xavier

Note: --test is used for test mode. You need to remove it once the test mode passes successfully.

Please let me know if you need assistance on preparing the fuse_configuration XML file.

Hi @ilies.chergui

Thanks for taking the time to respond.

We don’t have an issue with generating the fuse blob or burning the fuses. We burnt the fuses and successfully can sign and boot an image with the 35.4.1 version of the SDK.

What isn’t working is the EXACT same flash commands (minus UEFI) with 35.2.1. I can even build the fuse blob with 35.2.1, burn the fuses, and flash successfully with 35.4.1, it's just the flash of 35.2.1 that isn’t working for us.

hello jjsalzano,

let me have confirmation. has this device been fused or not?

here’s another approach for checking.
you may boot up the target and check the fuse values.
there are properties under… /sys/devices/platform/tegra-fuse/, you may cat the nodes to check their values.

Hi @jjsalzano

I cannot see an issue in the logs you are sharing except the USB losing connection.

Could you please share logs from both the host machine and the serial UART?
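
To locate the exact step at which the host loses USB contact in a flash log like the one posted earlier in this thread, here is an added example that is not from any poster or from NVIDIA's tooling. It assumes only the `[ seconds ] message` line format and the two USB error strings visible in that log; the function name `triage` and the condensed sample are constructed for illustration.

```python
import re

# Constructed sample: a condensed excerpt of the host log posted in this thread.
SAMPLE_LOG = """\
[   0.1393 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_signed.rcm --rcm rcm_2_signed.rcm
[   0.1723 ] Boot Rom communication completed
[   2.5522 ] tegrarcm_v2 --download blob blob.bin
[   2.5850 ] [................................................] 100%
[   4.5096 ] tegrarcm_v2 --boot recovery
[   4.5118 ] Applet version 01.00.0000
[   5.5478 ] tegrarcm_v2 --isapplet
[   5.5499 ] USB communication failed.Check if device is in recovery
[   5.7441 ] tegradevflash_v2 --iscpubl
[   5.7466 ] Cannot Open USB
"""

LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\s*\]\s?(.*)$")   # "[  1.2345 ] text"
TOOL_RE = re.compile(r"^tegra\w+(\s|$)")                 # echoed tool invocation
USB_ERRORS = ("USB communication failed", "Cannot Open USB")


def triage(log_text):
    """Return where USB contact was lost, or None if no USB error appears."""
    last_ok = None     # last command that received a non-error reply
    current = None     # command whose output is being read now
    answered = False   # has `current` produced any non-error output yet?
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # banner lines and "..." elisions carry no timestamp
        stamp, msg = float(m.group(1)), m.group(2)
        if TOOL_RE.match(msg):
            if current and answered:
                last_ok = current
            current, answered = (stamp, msg), False
        elif any(err in msg for err in USB_ERRORS):
            return {"last_ok": last_ok, "failed": current,
                    "error_at": stamp, "error": msg}
        elif current:
            answered = True
    return None


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the last command that got an answer is `tegrarcm_v2 --boot recovery` and the first one that did not is `tegrarcm_v2 --isapplet`, so the serial UART capture requested above should cover the seconds right after the recovery boot is issued.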
